Complying with European data protection harmony
March 2016 | FEATURE | DATA PRIVACY
Financier Worldwide Magazine
Like it or not, today we live in an age of data, one of the consequences of which is a raft of rules and regulations purportedly designed to assist global firms as they go about the business of doing business.
Yet some legislation can prove problematic to implement. One case in point is the General Data Protection Regulation (GDPR), due to come into force in 2018. To summarise, the GDPR is the outcome of the European Commission’s desire to unify the various data protection laws that currently exist within the European Union (EU) into a single law, which will replace the current legislation in this space – the Data Protection Directive 95/46/EC, part of the EU privacy and human rights law.
However, a recent report, ‘Data privacy laws: cutting the red tape’, commissioned by Intralinks and carried out by Ovum Ltd, found that over 50 percent of global businesses expect to be fined as a result of non-compliance with the GDPR. Furthermore, the extent of the fines is “potentially four percent of global revenue”, meaning a penalty running into billions for the world’s biggest companies.
Compliance, therefore, is proving to be a problem for many companies and a drastic re-think of their global business strategies appears necessary as the countdown to the GDPR continues.
The extent of non-compliance
“Non-compliance with the GDPR is forecast as a result of the proposed increased requirements placed upon firms to take greater care with the processing of personal data as well as the storage of such data,” explains Mike Gillespie, managing director of Advent IM Ltd and director of Cyber Research and Strategy for the Security Institute. “Personnel who wish to have their personal data expunged need only inform the relevant firm accordingly, which then places the onus clearly upon the firm in question. And although not impossible to achieve, it is relatively difficult to completely remove every piece of personal data related to one individual from a database, as she may be linked or associated with another person.”
From a GDPR perspective, it is this difficulty in removing data that is likely to be viewed as non-compliance, with firms being fined accordingly; though, as Mr Gillespie points out, if there is a legal or justifiable requirement to retain the data, then this should be clearly communicated to the individual concerned.
“The emphasis will be on accountability like never before – having robust, demonstrable controls in place in relation to all data processing activities they undertake, whether themselves or using third party partners,” asserts Scott Semel, executive vice president and general counsel for Intralinks. “This focus on protecting and managing personal information needs to be prioritised in current strategies, practices and processes worldwide.”
With businesses increasingly relying on cloud computing and software-as-a-service (SaaS), as well as moving to mobile computing platforms, data location control, high security standards and privacy regulations compliance are all key data protection challenges.
Re-thinking global strategies
What, then, are the steps that global businesses should be taking as regards their global business strategies? Firstly, any global business strategy related to information security should encompass essential areas such as transparency, ownership, legal requirements, technical solutions, and policies and procedures. These areas should also encourage a good security culture within the firm which, when coupled with appropriate technologies, can be a highly effective data protection solution. At the same time, it should be clear to any firm that technological solutions alone are not necessarily the best option to increase security, as a high percentage of security breaches result from poor practices by staff, or from inappropriate or outdated policies and procedures.
“Companies should re-think their global business strategies to ensure that they clearly adhere to the relevant legal requirements related to the country in which they conduct their business,” suggests Mr Gillespie. “Although there is a requirement for all firms to adhere to the GDPR, there is also the possibility that additional, more restrictive legal requirements will be placed upon companies within certain countries.”
For Mr Semel, companies need to carefully assess how they manage and control the flow of information – information which is often embedded into the fabric of longstanding business processes and practices. “A priority is to identify data flows and locations, where privacy is core to the business’ processes and, critically, who is accountable for overseeing privacy compliance,” he attests. “Optionality is critical because laws vary across the globe, and change rapidly. Vendors should be able to answer questions about logical and physical data location, security controls and have service contracts that are robust and offer flexibility. Now, more than ever before, organisations need agile technology options that will help them to react to rapidly changing regulation.”
A compliant future?
Clearly, the need to comply with the GDPR is going to force many businesses operating in Europe to fundamentally change the way they manage and share many kinds of personally identifiable information. And although near-term penalties for GDPR non-compliance may appear harsh, the possibility of long-term reputational damage may provide companies with a more far-reaching legacy if data protection harmony proves to be insurmountable.
© Financier Worldwide